In Progress [CPANEL-33077] Letsencrypt transition to ISRG’s Root (Important!!!!!)

[spmfox117]

I've worked around this by using the cPanel provider and re-running autossl. After a few minutes the new certificates are ordered from cPanel and it works.

However I'm not happy about this, I wanted to use LetsEncrypt on purpose. I feel this issue got basically ignored because cPanel has its own provider. Especially just days after the yearly price increase we all have come to expect.

 

[Kent Brockman]

Also here. CENTOS 7.9 kvm - v98.0.8
I'm recommending customers to move out imap/pop3/smtp from SSL to non-secure connections. Ugly solution. But it's a workaround.

 

[tui]

Any update on this? cPanel just send us a email for a new price increase for useless updates but a lot of bugs and problems with every update, now we have a outage for this problem something that cpanel had to have foreseen, issues and problems like this are things that cpanel should bring in updates and not useless updates, i dont know why should i paid more for something that cpanel is not working and is not in focus, cpanel has been breaking down these last two years, its a shame

 

[cPRex]

At this time, the official workaround is to reinstall the Let's Encrypt certificates without the CA bundle included, and that will force the system to download and install the updated root certificate.

We've also posted an update to our guide here with additional details about how this gets handled in various operating systems: DST Root CA X3 Expiration and Let's Encrypt

 

[cPRex]

Update - we're still working to see if there is a better solution available, and I'll be sure to post once I have something.

 

[clook]

At this time, the official workaround is to reinstall the Let's Encrypt certificates without the CA bundle included, and that will force the system to download and install the updated root certificate.

We've also posted an update to our guide here with additional details about how this gets handled in various operating systems: DST Root CA X3 Expiration and Let's Encrypt

Unless I misunderstand what you're saying, this doesn't help here. We have systems where the up to date packages are applied (as per your guide), valid AutoSSL certificates are in place as viewed in CPanel etc., but SNI on dovecot, for instance, doesn't work (users are always served the incorrect cpanel issued cert matching the server hostname, rather than the Lets Encrypt issued certificate). This breaks *all* clients, even ones that support the new LE chain, because they're not getting the LE cert at all now.

 

[cPRex]

@clook - we understand that now, and I'll post more details as soon as I have them.

 

[tui]

At this time, the official workaround is to reinstall the Let's Encrypt certificates without the CA bundle included, and that will force the system to download and install the updated root certificate.

We've also posted an update to our guide here with additional details about how this gets handled in various operating systems: DST Root CA X3 Expiration and Let's Encrypt

Workaround is not working... im on centos 7 i have the latest ca-certificates-2021.2.50-72.el7_9.noarch, and i still having the issues

 

[coursevector]

same

 

[dandadude]

Workaround not working for me either.

rpm -q ca-certificates
ca-certificates-2021.2.50-72.el7_9.noarch

yum -y update ca-certificates
No packages marked for update

Should we remove the package and install again?


CLOUDLINUX 7.9
cPanel v98.0.8

 

[Rhuan]

Same here, hundreds servers managed by my company offline at this moment.

 

[Hostseo Limited]

We also update ca-certificate to latest version, ca-certificates-2021.2.50-72.el7_9.noarch. AutoSSL showing this log for any domains:


Certificate expiry: 12/29/21, 4:26 PM UTC (89.96 days from now)
ERROR Defect: OPENSSL_VERIFY: The certificate chain failed OpenSSL’s verification (0:10:CERT_HAS_EXPIRED).
ERROR Defect: OPENSSL_VERIFY: The certificate chain failed OpenSSL’s verification (1:10:CERT_HAS_EXPIRED).
ERROR Defect: OPENSSL_VERIFY: The certificate chain failed OpenSSL’s verification (2:10:CERT_HAS_EXPIRED).
ERROR Defect: OPENSSL_VERIFY: The certificate chain failed OpenSSL’s verification (3:10:CERT_HAS_EXPIRED).

 

[dandadude]

Wonder if "rpm -e --nodeps ca-certificates-2021.2.50-72.el7_9.noarch" and reinstalling would help, but it has so many dependencies that I would rather wait for an official solution

 

[mtindor]

On CloudLinux 6 ELS I was given a link (by CloudLinux) for updated OpenSSL packages. I'm not sure that I'm privy to share the link because I don't know if I'm a "guinea pig"

I can say that after installing the update and restarting all services ( those showing need for restarting via /usr/bin/needs-restarting), at least some things work now

1. AutoSSL seems to run and proper process new certs (except that Lets Encrypt throttled my attempt to "Run AutoSSL for all users") so not all were updated.
2. www.customerdomain.com/cpanel and www.customerdomain.com/webmail now work without cert warnings
3. some previously expired website certs are now working

BUT, I have not been able to confirm that Exim/Dovecot are working (when people connect to mail.theirdomain.com over SSL)

Mike

 

[mtindor]

On CloudLinux 6 ELS I was given a link (by CloudLinux) for updated OpenSSL packages. I'm not sure that I'm privy to share the link because I don't know if I'm a "guinea pig"

I can say that after installing the update and restarting all services ( those showing need for restarting via /usr/bin/needs-restarting), at least some things work now

1. AutoSSL seems to run and proper process new certs (except that Lets Encrypt throttled my attempt to "Run AutoSSL for all users") so not all were updated.
2. www.customerdomain.com/cpanel and www.customerdomain.com/webmail now work without cert warnings
3. some previously expired website certs are now working

BUT, I have not been able to confirm that Exim/Dovecot are working (when people connect to mail.theirdomain.com over SSL)

Mike

I can confirm that Dovecot / Exim are not using the certificates, even though they are valid . Im not sure how to force those services to start using the certs again. Because of that, I can't confirm that EVERYTHING is fixed. Anyone know how to force the email service (dovecot / exim) to use the customer-domain certs that are valid?

Mike

 

[smurf]

Just tried switching to cPanel powered by Sectigo and receive this error when running AutoSSL:

The “cPanel (powered by Sectigo)” provider cannot currently accept incoming requests. The system will try again later.

I'm guessing everyone else is trying the same switch and cPanel can't handle it?

 

[mtindor]

Assuming all SSL certs are renewed / valid :

It would be great if somebody at cPanel would tell us how to rebuild all of the sni information so that Dovecot, Exim, and FTP make use of them.

 

[tui]

This is what happen when cPanel try to focus on make money with price increases and ugly themes instead of important things, this thread was created in jun 2020 and cPanel just let it pass, now that this exploded they are over time trying to fix it or figure how to workaround this.. meanwhile thousands of users and servers are facing this and dealing with this and waiting for a cPanel fix or telling clients that they need to reconfigure their mails clients, thousands of clients dont even know how to put a mail account on their devices and they depend of support teams or tech guy... imagine that suddenly nobody in your company can access to their mail account and you have employees in other countries that depend of mails... how can you deal with 100 or 1000 devices to reconfigure them in a insecure way temporally because cpanel is not working and is playing with drawings, sand and useless updates since the last 2 years? now multiply this by all companies affected by this and in pandemic with home office... but cpanel still playing with themes and wants to raise prices for that 2 hours of work of ugly themes and bugs

 

[Rhuan]

This is what happen when cPanel try to focus on make money with price increases and ugly themes instead of important things, this thread was created in jun 2020 and cPanel just let it pass, now that this exploded they are over time trying to fix it or figure how to workaround this.. meanwhile thousands of users and servers are facing this and dealing with this and waiting for a cPanel fix or telling clients that they need to reconfigure their mails clients, thousands of clients dont even know how to put a mail account on their devices and they depend of support teams or tech guy... imagine that suddenly nobody in your company can access to their mail account and you have employees in other countries that depend of mails... how can you deal with 100 devices to reconfigure them? now multiply this by all companies affected by this and in pandemic with home office... but cpanel wants to raise prices and that is more important for them...

I agree with you, that's total disregard for customers and a lack of planning.

 

[mysterygang]

Any solution? I got 23 calls on my phone in 30 minutes from costumers...